foundation/packages/pulumi-vault/VENDORED.md


# VENDORED — `@olsitec/pulumi-vault`
**Source (absolute path):** `/Users/andiolsi/work/olsicloud4/pulumi/modules/vault/`
**Copy date:** 2026-06-30
**Stage:** Stage-1 vendoring per [`documentation/000_TOPOLOGY.md` §5](../../documentation/000_TOPOLOGY.md).
## What this is
A verbatim copy of the olsicloud4 `modules/vault` Pulumi module — the Vault init/unseal
capture (`VaultInitialization`) and the secret-engine/AppRole bootstrap
(`VaultBootstrap`, `VaultExternalSecretsClusterAppRole`, `VaultProject`) plus the admin
policy (`policy.ts`). Core of the foundation secret layer (ADR-004, PLAN-002 §4). At
day-zero `bootstrap/` consumes it locally through the Bun workspace, not from a registry.
## What was copied
`index.ts`, `policy.ts`, `package.json`, `tsconfig.json`, `.editorconfig`, `.gitignore`.
**Not copied:** `node_modules/`, `package-lock.json` (lockfiles), `.git/`.
## Changes made vs. the source
- `package.json` `name`: `vault` → `@olsitec/pulumi-vault`; added `version` (`0.0.0`,
pre-publish placeholder) and `main`/`types` (`index.ts`) for Bun-workspace resolution.
- **Type-only re-home (no logic change):** the upstream `index.ts` imports five
*purely type-level* declarations from its sibling module `../../modules/olsitec`
(`OlsitecProjectFeatureFlags`, `OlsitecCredentialTypes`, `GitProjectCredentials`,
`OciRegistryCredentials`, `MinioBackupProjectCredentials`). That sibling transitively
pulls in `modules/minio`, `modules/gitlab`, and `modules/kubernetes`, none of which
belong in the foundation egg and none of which are vendored. To keep this package
self-contained, those five type declarations were copied **verbatim** into a new local
file `olsitec-types.ts`, and the one import line in `index.ts` was re-pointed from
`../../modules/olsitec` to `./olsitec-types`. This is the **only** edit to `index.ts`;
no runtime/behavioural logic changed.
- `tsconfig.json` `files`: added `policy.ts` and `olsitec-types.ts` so the package
type-checks standalone (`tsc --noEmit`).
> **Note (out of scope for T02):** `VaultProject` and `VaultBootstrap` still reference
> minio/garage/cockroach/mongo credential shapes inherited from the Layer-1 olsitec module.
> The foundation egg only needs `VaultInitialization` (init/unseal capture) + `VaultBootstrap`.
> Trimming the unused Layer-1 surface is a deliberate later refactor (000_TOPOLOGY.md §5.1
> "refactor for Layer 0"), NOT part of Stage-1 vendoring — Stage 1 preserves the source as-is.
## Lifecycle (000_TOPOLOGY.md §5)
- **Stage 1 — VENDOR (this commit):** copied here; consumed locally via Bun workspace.
- **Stage 2 — PUBLISH (later task):** CI publishes `@olsitec/pulumi-vault@<semver>` to the
foundation Forgejo npm registry once it exists.
- **Stage 3 — CONSUME (steady state):** downstream switches imports to the published package;
the old module is frozen then removed.
Do not refactor the vendored logic here beyond the type-only re-home documented above.
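
As an added example (not part of the vendored package or the olsicloud4 source), a CI-style drift check for the rule above: it compares an upstream `index.ts` with the vendored copy and accepts only the documented specifier re-point. The function and sample names are hypothetical, and the sample file contents are constructed.

```typescript
// Specifiers are taken from VENDORED.md; all other names here are hypothetical.
const UPSTREAM_SPECIFIER = "../../modules/olsitec";
const VENDORED_SPECIFIER = "./olsitec-types";

interface DriftReport {
  ok: boolean;
  repointedImports: number;
  unexpected: string[]; // undocumented differences, one entry each
}

// Compare upstream index.ts with the vendored copy, line by line. The only
// difference allowed is the module specifier swap on a single `from` line.
function checkVendoredIndex(upstream: string, vendored: string): DriftReport {
  const up = upstream.replace(/\r\n/g, "\n").split("\n");
  const ve = vendored.replace(/\r\n/g, "\n").split("\n");
  const unexpected: string[] = [];
  let repointedImports = 0;
  if (up.length !== ve.length) {
    unexpected.push(`line count: upstream ${up.length}, vendored ${ve.length}`);
  }
  for (let i = 0; i < Math.min(up.length, ve.length); i++) {
    const a = up[i] ?? "";
    const b = ve[i] ?? "";
    if (a === b) continue;
    const isFromLine =
      a.includes(`from "${UPSTREAM_SPECIFIER}"`) || a.includes(`from '${UPSTREAM_SPECIFIER}'`);
    if (isFromLine && b === a.split(UPSTREAM_SPECIFIER).join(VENDORED_SPECIFIER)) {
      repointedImports++;
    } else {
      unexpected.push(`line ${i + 1}: ${b.trim()}`);
    }
  }
  if (repointedImports !== 1) {
    unexpected.push(`expected 1 re-pointed import, found ${repointedImports}`);
  }
  return { ok: unexpected.length === 0, repointedImports, unexpected };
}

// Constructed sample input (not the real index.ts).
const SAMPLE_UPSTREAM = [
  'import * as vault from "@pulumi/vault";',
  "import type {",
  "  OlsitecCredentialTypes,",
  "  GitProjectCredentials,",
  '} from "../../modules/olsitec";',
  "export class VaultInitialization {}",
].join("\n");
const SAMPLE_VENDORED = SAMPLE_UPSTREAM.replace(UPSTREAM_SPECIFIER, VENDORED_SPECIFIER);
// Same re-point plus one undocumented change to the class body.
const SAMPLE_TAMPERED = SAMPLE_VENDORED.replace("{}", "{ extra = 1 }");
```

A non-empty `unexpected` list means the vendored `index.ts` has drifted from what this file documents and should fail the build.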